diff --git a/test/integration/concierge_impersonation_proxy_test.go b/test/integration/concierge_impersonation_proxy_test.go index a0397f89d..dff36ac0e 100644 --- a/test/integration/concierge_impersonation_proxy_test.go +++ b/test/integration/concierge_impersonation_proxy_test.go @@ -380,7 +380,6 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl // set credential issuer to have new annotation to ensure the idle timeout is long enough on AWS. // this also ensures that updates to the credential issuer impersonation proxy spec go through if impersonatorShouldHaveStartedAutomaticallyByDefault && clusterSupportsLoadBalancers { - // configure the credential issuer spec to have the impersonation proxy in auto mode updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{ ImpersonationProxy: &conciergev1alpha.ImpersonationProxySpec{ Mode: conciergev1alpha.ImpersonationProxyModeAuto, @@ -1201,6 +1200,40 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl }) }) + t.Run("running impersonation proxy with ClusterIP service", func(t *testing.T) { + if env.Proxy == "" { + t.Skip("Skipping ClusterIP test because squid proxy is not present") + } + clusterIPServiceURL := fmt.Sprintf("%s.%s.svc.cluster.local", impersonationProxyClusterIPName(env), env.ConciergeNamespace) + updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{ + ImpersonationProxy: &conciergev1alpha.ImpersonationProxySpec{ + Mode: conciergev1alpha.ImpersonationProxyModeEnabled, + ExternalEndpoint: clusterIPServiceURL, + Service: conciergev1alpha.ImpersonationProxyServiceSpec{ + Type: conciergev1alpha.ImpersonationProxyServiceTypeClusterIP, + }, + }, + }) + // Wait until the clusterip exists + library.RequireEventuallyWithoutError(t, func() (bool, error) { + return hasImpersonationProxyClusterIPService(ctx, env, adminClient) + }, 30*time.Second, 500*time.Millisecond) + + newImpersonationProxyURL, newImpersonationProxyCACertPEM := performImpersonatorDiscovery(ctx, t, env, adminConciergeClient) + + refreshedCredentials := refreshCredential(t, impersonationProxyURL, impersonationProxyCACertPEM).DeepCopy() + kubeconfig := impersonationProxyRestConfig(refreshedCredentials, newImpersonationProxyURL, newImpersonationProxyCACertPEM, nil) + kubeconfig.Proxy = kubeconfigProxyFunc(t, env.Proxy) + + client := library.NewKubeclient(t, kubeconfig).Kubernetes + + // everything should work properly through the cluster ip service + t.Run( + "access as user", + library.AccessAsUserTest(ctx, env.TestUser.ExpectedUsername, client), + ) + }) + t.Run("manually disabling the impersonation proxy feature", func(t *testing.T) { // Update configuration to force the proxy to disabled mode updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{ @@ -1503,6 +1536,17 @@ func loadBalancerHasAnnotations(ctx context.Context, env *library.TestEnv, clien return service.Spec.Type == corev1.ServiceTypeLoadBalancer && hasExactAnnotations, nil } +func hasImpersonationProxyClusterIPService(ctx context.Context, env *library.TestEnv, client kubernetes.Interface) (bool, error) { + service, err := client.CoreV1().Services(env.ConciergeNamespace).Get(ctx, impersonationProxyClusterIPName(env), metav1.GetOptions{}) + if k8serrors.IsNotFound(err) { + return false, nil + } + if err != nil { + return false, err + } + return service.Spec.Type == corev1.ServiceTypeClusterIP, nil +} + func impersonationProxyTLSSecretName(env *library.TestEnv) string { return env.ConciergeAppName + "-impersonation-proxy-tls-serving-certificate" } @@ -1515,6 +1559,10 @@ func impersonationProxyLoadBalancerName(env *library.TestEnv) string { return env.ConciergeAppName + "-impersonation-proxy-load-balancer" } +func impersonationProxyClusterIPName(env *library.TestEnv) string { + return env.ConciergeAppName + "-impersonation-proxy-cluster-ip" +} + func credentialIssuerName(env *library.TestEnv) string { return env.ConciergeAppName + "-config" }